TURKISH STANDARDS INSTITUTION

COMMON CRITERIA CERTIFICATION SCHEME

Issue Date : 01/09/2009

Revision Date : 19/06/2015

Revision N. : 07

INTRODUCTION DOCUMENT

(SCHEME DOCUMENT)

TURKISH STANDARDISATION INSTITUTION

COMMON CRITERIA CERTIFICATION SCHEME

TABLE OF CONTENTS

1. Abbreviations

2. CCCS General Survey

3. CCCS Process Definition

3.1 Product Evaluation

3.2 Evaluation of Protection Profile

3.3 Evaluation of Assurance Classes

3.4 Tests and Vulnerability Analysis Assurance Classes

3.5 Evaluation of Evaluation Technical Report

3.6 Meetings

3.7 Observation Report/Observation Decision

3.8 Observation Notes

3.9 Product List

3.10 Certification Report and Certificate Preparation

3.11 Certificate Maintenance

3.12 Validity of the Certificate and Assurance Continuity

4. Organisation

5. Evaluation Laboratory

6. Quality System

7. Objections and Complaints

8. Confidentiality, Equity and Information Security

1. Abbreviations

CC : Common Criteria

CCCS : Common Criteria Certification Scheme

CCTL : Common Criteria Testing Laboratory

CCRA : Common Criteria Recognition Arrangement

ST : Security Target

PP : Protection Profile

TOE : Target of Evaluation

WUT : Work Unit Table

ETR : Evaluation Technical Report

CEM : Common Evaluation Methodology (Common Methodology for IT Security Evaluation)

OR : Observation Report

OD : Observation Decision

EAL : Evaluation Assurance Level

RN : Record Note

2. CCCS General Survey

The Common Criteria (ISO/IEC 15408) is the international IT security evaluation standard adopted by the International Organization for Standardization (ISO) in 1999. It has its basis in the TCSEC and ITSEC standards and was developed so that the security assurance levels of IT products and/or systems can be established and tested in independent laboratories. On behalf of Turkey, the Turkish Standards Institution (TSE) joined the Common Criteria Recognition Arrangement (CCRA), signed by the countries that have adopted this standard, in 2003; it recognises the evaluations of the certificate-producing participants and has implemented the Common Criteria Certification Scheme (CCCS) established within the TSE Certification Center.

The Common Criteria Certification Scheme:

authorises Common Criteria evaluation laboratories,

evaluates the performance of the Common Criteria evaluation laboratories,

provides assurance that evaluations conform to the Common Criteria standard and the Common Evaluation Methodology,

supports and leads the evaluations,

provides technical guidance to the evaluations,

examines the evaluation reports,

prepares the Common Criteria Certification Report,

prepares the Common Criteria Certificate,

controls the Common Criteria Certification Scheme.

During the certification process the Common Criteria Inspection Experts take into account the Common Criteria standard, the Common Evaluation Methodology, the national and international official interpretations of the Common Criteria standard, the relevant Common Criteria Certification Scheme publications and the Turkish Standards Institution's CCCS procedures.

3. CCCS PROCESS DEFINITION

Once the conditions of the Common Criteria Certification Application Procedure have been fulfilled, a Certification Expert, Common Criteria Inspection Expert(s) and, where needed, External Inspection Expert(s) are assigned. The rest of the process follows the "Common Criteria Certification Procedure", the "Common Criteria Certification Plan", the "Common Criteria Certification Result Evaluation Procedure" and the structure detailed in several further instructions. The "Evaluation Work Plan" prepared by the CCTL Evaluation Expert is reviewed against this structure; a "Work Unit Table" is then prepared in addition to the ST or PP of the product, and the evaluation period begins. The Common Criteria Technical Responsible monitors and approves all activities of the Common Criteria Inspection Expert(s) and the External Inspection Expert(s).

First the "Kick-Off Meeting" is held, followed by the "Product Training Meeting" and the "Laboratory Orientation Meeting". The evaluation period begins with these meetings.

The evaluation phase is the period in which the Common Criteria Inspection Experts oversee the CCTL activities carried out according to the "Evaluation Work Plan" and the CCCS "Certification Plan", evaluate the observation reports and, where necessary, support the CCTL. During the evaluation period the CCCS authorities may, if they consider it necessary and in coordination with the CCTL authorities, join the evaluation activities and observe them on site.

The CCCS evaluation period runs in parallel with the CCTL's evaluation period and continues through its revisions. All activities required to provide assurance about the evaluations, conducted in accordance with the conditions declared in the CCCS requirements, are included in the revisions of the CCCS evaluation period.

The Security Target and/or the relevant Protection Profile submitted for certification is analysed in detail by the Inspection Expert(s); the CCTL's evaluation procedures, Evaluation Technical Sub-Reports and Evaluation Technical Report are analysed as well.

Where necessary, the Common Criteria Inspection Expert, together with the CCTL and the product developer, arranges for the Evaluation Work Plan to be updated because of problems observed, potential deviations and the like.

The main events of the evaluation period are recorded by the Inspection Expert(s) in the "Work Unit Table" belonging to the product:

1. The Work Unit Table contains the Common Criteria Inspection Expert(s)' decisions on the Evaluation Technical Sub-Reports and the Evaluation Technical Report.

2. The Work Unit Table also contains the observation reports that the Common Criteria Inspection Experts have marked as important, together with the related conclusions.

The Work Unit Table is thus both the main record of the events that occurred during the evaluation period and a record of their timing. At the end of the evaluation period the Common Criteria Inspection Expert submits the Work Unit Table, together with the other documents, to the Common Criteria Technical Responsible, who checks whether the Work Unit Table is consistent with the referenced documents and approves it.

During the evaluation period the Common Criteria Inspection Expert(s) take into account the Common Criteria standard, the Common Evaluation Methodology, the national and international official interpretations of the Common Criteria standard, the relevant Common Criteria Certification Center publications and TSE's CCCS procedures.

In outline, the product evaluations and Protection Profile evaluations performed within the CCCS are as follows:

3.1 PRODUCT EVALUATION

The Common Criteria Inspection Expert(s) analyse the Security Target of the product to determine whether the Common Criteria standard has been addressed. During this examination they seek answers to the following questions:

Does the TOE environment appear sound?

Are the assumptions appropriate, or should they be stated as threats?

Do the threat statements contain a threat agent, the asset that is threatened, and the attack?

Does the attack contain the method of attack and the result of the attack?

Are the objectives consistent with the assumptions, threats and Organisational Security Policies?

Does the objective rationale take the right approach in describing how the objectives counter or mitigate the threats?

Is the requirements section largely complete, with all operations (especially assignment, refinement and iteration) performed?

Do the operations appear to be performed correctly?

Do application notes levy requirements that are not allowed?

Does the TOE Summary Specification describe the security functions? Does it describe how the security functions "meet" the requirements in the TOE requirements section?

Does the TOE Summary Specification describe the assurance measures?

If the ST claims that the TOE conforms to one or more PPs, does the ST provide an explanation, justification and supporting material for this claim?

Does the ST clearly reference the PP?

Does the ST provide a clear PP tailoring statement and, if applicable, a PP additions statement?

3.2 EVALUATION OF PROTECTION PROFILE

The Common Criteria Inspection Expert(s) analyse the Protection Profile to determine whether the Common Criteria standard has been addressed. During this examination they seek answers to the following questions:

Does the TOE environment appear sound? Are the assumptions appropriate, or should they be stated as threats? Do the threat statements contain a threat agent, the asset that is threatened, and the attack? Does the attack contain the method of attack and the result of the attack?

Are the objectives consistent with the assumptions, threats and Organisational Security Policies? Does the objective rationale take the right approach in describing how the objectives counter or mitigate the threats?

Is the requirements section largely complete, with all operations (especially assignment, refinement and iteration) performed? Do the operations appear to be performed correctly? Do application notes levy requirements that are not allowed?

Does the PP describe an implementation-independent set of security requirements adequate for a category of TOEs, and does it contain a statement of the security problem that a compliant product is intended to solve?

The most important difference between the PP evaluation and the ST evaluation is that the PP evaluation consists of evaluating only one assurance class (APE).
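The threat-statement and objective-rationale questions asked in 3.1 and 3.2 can be mechanised for a Security Target or Protection Profile held in a structured form. The following Python script is an added example, not part of the scheme document or of any TSE tool; the SecurityTarget/Threat data layout, the element naming convention (T., A., P., O., OE.) and the sample Security Target are all assumptions constructed for illustration. It reports each threat statement missing an agent, asset, method or result, each threat, OSP or assumption not addressed by any objective, each objective with no rationale, and each PP conformance claim made without a reference or justification.

```python
"""Consistency checks on a Security Target's security problem definition and
objective rationale, mirroring the CCCS reviewer questions in 3.1 and 3.2.
Added example: the data layout and the sample ST below are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Threat:
    name: str
    agent: str = ""   # who or what mounts the attack
    asset: str = ""   # what is threatened
    method: str = ""  # how the attack is carried out
    result: str = ""  # what the attacker achieves


@dataclass
class SecurityTarget:
    threats: list
    assumptions: list   # assumption names (A.*)
    osps: list          # organisational security policy names (P.*)
    objectives: list    # objective names for the TOE (O.*) and environment (OE.*)
    rationale: dict     # objective -> set of threats/OSPs/assumptions it addresses
    pp_claims: list = field(default_factory=list)  # names of PPs claimed
    pp_refs: dict = field(default_factory=dict)    # PP name -> reference/justification


def check_threats(st):
    """Each threat must name an agent, an asset, an attack method and its result."""
    findings = []
    for t in st.threats:
        missing = [f for f in ("agent", "asset", "method", "result") if not getattr(t, f)]
        if missing:
            findings.append(f"{t.name}: threat statement lacks {', '.join(missing)}")
    return findings


def check_rationale(st):
    """Every threat, OSP and assumption must be addressed by at least one objective,
    and every objective must address something, or the rationale is incomplete."""
    findings = []
    problem = {t.name for t in st.threats} | set(st.osps) | set(st.assumptions)
    addressed = set()
    for obj, targets in st.rationale.items():
        if obj not in st.objectives:
            findings.append(f"{obj}: rationale references an undefined objective")
        for unknown in sorted(set(targets) - problem):
            findings.append(f"{obj}: rationale references undefined element {unknown}")
        if not targets:
            findings.append(f"{obj}: objective addresses no threat, OSP or assumption")
        addressed |= set(targets)
    for obj in st.objectives:
        if obj not in st.rationale:
            findings.append(f"{obj}: objective has no rationale entry")
    for elem in sorted(problem - addressed):
        findings.append(f"{elem}: not addressed by any objective")
    return findings


def check_pp_claims(st):
    """A PP conformance claim needs a reference and justification in the ST."""
    return [f"{pp}: PP conformance claimed without reference or justification"
            for pp in st.pp_claims if not st.pp_refs.get(pp)]


def review(st):
    """All findings an Inspection Expert would raise; empty means consistent."""
    return check_threats(st) + check_rationale(st) + check_pp_claims(st)


# Constructed sample ST with deliberate gaps (hypothetical names, not a real product).
SAMPLE_ST = SecurityTarget(
    threats=[
        Threat("T.TAMPER", agent="an attacker with physical access", asset="stored keys",
               method="probing the device", result="disclosure of keys"),
        Threat("T.SPOOF", agent="a remote attacker", asset="user credentials",
               method="replaying a captured login"),  # result omitted on purpose
    ],
    assumptions=["A.TRUSTED_ADMIN"],
    osps=["P.AUDIT"],
    objectives=["O.TAMPER_RESIST", "O.AUTH", "O.AUDIT", "OE.ADMIN", "O.ORPHAN"],
    rationale={
        "O.TAMPER_RESIST": {"T.TAMPER"},
        "O.AUTH": {"T.SPOOF"},
        "OE.ADMIN": {"A.TRUSTED_ADMIN"},
        "O.ORPHAN": set(),       # objective that counters nothing
        # O.AUDIT has no entry, so P.AUDIT is left unaddressed
    },
    pp_claims=["PP_X"],
    pp_refs={},                  # claim made without a reference
)

if __name__ == "__main__":
    for finding in review(SAMPLE_ST):
        print(finding)
```

Run as a script it lists the five findings in the sample. The same structure can be populated from the ST's own tables and re-run after every revision, so the Work Unit Table entry for ASE_SPD/ASE_OBJ (or APE_SPD/APE_OBJ for a PP) can cite a repeatable check rather than a one-off reading.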

3.3 EVALUATION OF ASSURANCE CLASSES

By the deadline specified for each assurance class in the "Evaluation Work Plan", the "evaluation technical sub-report" for that class is sent by the CCTL to the CCCS Common Criteria Inspection Expert responsible for the product. The Inspection Expert analyses all "evaluation technical sub-reports". The objective is to confirm the accuracy of the CCTL's evaluations and to obtain evidence that the CCTL is following the evaluation procedures and keeping records of the results.

The Common Criteria Inspection Expert's decision takes one of three forms: 'positive', 'negative' or 'not completed'.

a. Assurance Class positive

The CCTL's evaluation of the relevant assurance class has been completed with the result that the TOE meets the claimed assurance class, and the Common Criteria Inspection Expert's review of the report received from the CCTL concludes that the CCTL's verdict is valid.

b. Assurance Class negative

The CCTL's evaluation of the relevant assurance class has been completed with the result that the TOE does not meet the claimed assurance class, and the Common Criteria Inspection Expert's review of the report received from the CCTL concludes that the CCTL's verdict is valid.

c. Assurance Class not completed

The CCTL's evaluation of the relevant assurance class has not been completed within the period specified in the Evaluation Work Plan, or the CCTL's work has been completed but the Common Criteria Inspection Expert's analysis of the report received from the CCTL concludes that the CCTL's work or the report is incomplete. The Inspection Expert conveys his or her opinion of the report to the CCTL by filling in the Observation Decision Form.

a) If the Observation Decision is positive, the CCTL proceeds to the evaluation of the next class.

b) If the Observation Decision is negative, a meeting is held with the participation of the CCCS, the CCTL and the product developer. At this meeting it is decided either to terminate the process or to continue it by updating the Evaluation Work Plan.

c) If the Observation Decision is not completed, the CCTL may send the CCCS a revised evaluation technical sub-report completing the missing parts, or a meeting with the CCTL may be held, to which the product developer may also be invited if needed. At this meeting it is decided either to terminate the process or to continue it by updating the "Evaluation Work Plan".

3.4 TESTS AND VULNERABILITY ANALYSIS ASSURANCE CLASSES

Before the evaluation of these assurance classes starts, the test scripts and the vulnerability analysis implementation scripts are sent by the CCTL to the CCCS.

The Common Criteria Inspection Expert is responsible for evaluating the Test Plan sent by the CCTL. After the Inspection Expert(s) have evaluated the Test Plan and test scripts, they record their evaluation comments on the Observation Decision (Verdict) Form and send it to the CCTL.

If External Inspection Expert(s) have been assigned to the project, it is their duty to evaluate the Test Plan and test scripts, fill in the Observation Decision Form and send it to the responsible CCCS Inspection Expert for transmission to the CCTL. The responsible CCCS Inspection Expert approves the Observation Decision Form filled in by the External Inspection Expert and sends it to the CCTL.

The Common Criteria Inspection Expert(s) and/or the External Inspection Expert (if assigned) record their comments on the Test Plan and scripts and fill in the Observation Decision Form as follows:

a) If the Observation Decision is positive, the Test Plan prepared by the CCTL is satisfactory and no additional test scripts are needed.

b) If the Observation Decision is negative, the Test Plan prepared by the CCTL is insufficient and also unsuitable for the product concerned, so additional test scripts are needed.

c) If the Observation Decision is not completed, the Test Plan prepared by the CCTL is insufficient, so additional test scripts are needed.

After the Common Criteria Inspection Expert(s) and/or the External Inspection Expert (if assigned) have evaluated the scripts and sent the Observation Decision to the CCTL, the "Test and Vulnerability Analysis Planning Meeting" is held between the CCCS authorities, the External Inspection Expert(s) (if assigned) and the CCTL authorities on the date given in the Evaluation Work Plan. At this meeting the Observation Decision sent to the CCTL is discussed, and it is decided whether the test and vulnerability analysis activities planned for the product are sufficient or additional tests are needed. It is also decided at this meeting whether authorised CCCS personnel will take part in the test and vulnerability analysis activities as observers.

3.5 EVALUATION OF EVALUATION TECHNICAL REPORT

The "Evaluation Technical Report" (ETR) contains all the results the CCTL obtained during the evaluation. The other information that must be included in the ETR, in addition to the evaluation results, is explained in detail in the CEM. The ETR is the final output of the CCTL; verifying that it satisfies these conditions and that the evaluation evidence for each evaluation step or work unit supports the verdict is one of the most important responsibilities of the CCCS and of the responsible Common Criteria Inspection Expert.

The same procedure applies to the Evaluation Technical Report sent by the CCTL to the CCCS. After analysing the ETR, the Common Criteria Inspection Expert informs the CCTL, by means of the Observation Decision Form, of the result and of the date of the "ETR Revision Meeting" to be held. The evaluation period is concluded once the Inspection Expert determines that the original or revised ETR conforms to the CEM.

The ETR presents a detailed summary of the TOE or PP, information about how the evaluation was performed, all the evaluation evidence from the evaluation period, all relevant records and the evaluation results. Observation Reports (OR) must also be included and explained in the ETR.

Before giving an opinion on the ST/PP, the Common Criteria Inspection Expert(s) analyse the ETR. In doing so they confirm that the document is clear, that the information is complete and that it matches the evaluation analysis. They evaluate every verdict one by one and confirm that the reasoning supporting the CCTL's verdict is correct and complete, and they satisfy themselves that there is no inconsistency between the ETR and the ST/PP.

3.6 MEETINGS

This part describes the meetings held during the evaluation period.

Kick-Off Meeting:

The Common Criteria Inspection Expert(s) / Common Criteria Technical Responsible, the CCTL and the product developer attend this meeting. Its objective is to let the parties get to know each other, to define the roles, to establish communication between the parties, to determine the document flow methods, to explain the expectations and to revise the Evaluation Work Plan. At the meeting the product developer fills in and signs the "Manufacturer Company Approval Form" for the "Product List". The meeting record, which also includes the parties' contact information, is sent to all parties by the CCCS Inspection Experts / Technical Responsible.

Product Training Meeting:

The Common Criteria Inspection Expert(s) / Common Criteria Technical Responsible, the External Inspection Expert (if assigned), the CCTL and the product developer attend this meeting. Its location and date are fixed at the Kick-Off Meeting. At this meeting the product or protection profile is presented, and the questions of the CCCS and the CCTL are answered by the product developer. The evaluation evidence may be handed over to the CCTL at this meeting. After this meeting the TOE set-up may be carried out. Meeting minutes are recorded.

Laboratory Orientation Meeting:

The Common Criteria Inspection Expert(s) / Common Criteria Technical Responsible and the CCTL attend this meeting. Its location and date are fixed at the Kick-Off Meeting. At this meeting the "Evaluation Work Plan" is revised and finalised, the CCCS's expectations concerning the evaluation and reporting activities for the TOE are conveyed to the CCTL, and other matters relating to the product are settled. Meeting minutes are recorded.

Test and Vulnerability Analysis Planning Meeting:

The Common Criteria Inspection Expert(s) / Common Criteria Technical Responsible, the External Inspection Expert (if assigned) and the CCTL attend this meeting. Its date is specified in the "Evaluation Work Plan". At this meeting the test and vulnerability analysis methods are discussed, it is decided whether the CCCS will take part in the tests as an observer, and the records to be kept during the test and vulnerability analysis activities are specified. Meeting minutes are recorded.

ETR Revision Meeting:

The Common Criteria Inspection Expert(s) / Common Criteria Technical Responsible and the CCTL attend this meeting. It is held after the ETR has been evaluated by the CCCS. At this meeting the defects found in the ETR and the corrections the CCTL must make are conveyed to the CCTL. Meeting minutes are recorded. If the ETR is fully sufficient, it is approved by the CCCS and the evaluation period ends with this meeting.

Technical Meetings:

Participation in technical meetings is determined by the meeting agenda. At any stage of the evaluation period the CCTL, the product developer or the CCCS may request a meeting. The request is made to the CCCS, which, after consulting all the parties concerned, sets the agenda and the date.

3.7 OBSERVATION REPORT/OBSERVATION DECISION

An Observation Report is prepared by the CCTL or the product developer and sent to the CCCS. Its purpose is to describe a problem that has been observed so that the CCCS can rule on it.

During the evaluation period, Observation Reports are prepared by the CCTL or the product developer, using the Observation Reporting Form:

in case of disagreements between the parties, or on matters that have not been resolved,

about defects in the Evaluation Work Plan.

An Observation Decision is prepared by the CCCS and sent to the CCTL or the product developer. During the evaluation period, Observation Decisions are prepared by the Certification/Inspection Expert, using the Observation Decision Form:

in answer to the Observation Reports prepared by the CCTL or the product developer,

about defects in the Evaluation Work Plan,

after the Evaluation Technical Sub-Reports and the Evaluation Technical Report prepared by the CCTL have been evaluated by the CCCS,

and in any other case where needed.

3.8 OBSERVATION NOTES

Observation Notes are compiled on the Observation Notes Form for points the CCCS authorities wish to record, in addition to the laboratory visit and meeting records, in the reports submitted at the end of activities during the evaluation period.

3.9 PRODUCT LIST

The Certification Expert enters into the TSE Certification Management System the choice, stated by the product developer/sponsor at the Kick-Off Meeting, about publication of the product information. If the preference is 'LIST', the current "Product List" is taken from the system by the Certification Expert, and the updated list, the certificate, the Certification Report and the Security Target are sent to the Department of Data Processing for publication at www.tse.org.tr under the Common Criteria Certification Scheme link.

If the preference is 'NOT LIST', the product information and the Certification Report are not published and, in accordance with the "Common Criteria Recognition Arrangement, Annex B.2", the international CC mark cannot be used with the product or the certificate.

3.10 CERTIFICATION REPORT AND CERTIFICATE PREPARATION

Once the evaluation period has been completed with the acceptance and approval of the ETR by the Common Criteria Inspection Expert(s), the Inspection Expert(s) draw up the Certification Report, drawing on all the information and documents prepared by the CCTL.

The Common Criteria Inspection Expert submits the "Certification Report", the "Work Unit Table", the documents cross-referenced in the "Work Unit Table" and all documents examined during the evaluation period to the Common Criteria Technical Responsible, who checks the "Work Unit Table" and the "Certification Report". If any defect or error is detected during this check, the Common Criteria Inspection Expert is notified in writing so that the findings can be corrected.

The Common Criteria Technical Responsible approves the "Work Unit Table" and submits the "Certification Report" to the manager of the Information Technologies Certification Department. The stages following the approval of the "Certification Report" are carried out according to the "Result Evaluation Procedure".

If the Certification Committee's decision is positive, the certificate prepared according to the "Certificate Preparation Procedure" is handed to the authorised personnel of the company after the "License Agreement with Applicant Company" has been signed. The certificate owner thereby obtains the right, as specified in the license agreement, to use the "TSE-Common Criteria Compatibility Certificate" for this product.

The maximum period between the performance of the vulnerability analysis and the issuance of a Common Criteria certificate is 3 months. If this limit is exceeded, the CCCS requests the evaluation laboratory to carry out a re-assessment to verify that no relevant vulnerabilities have been published that might require an update of the evaluated product.

3.11 CERTIFICATE MAINTENANCE

A Common Criteria Certificate is valid only for the product version that was evaluated. For a product that has been modified outside the scope of the certification, the new product version must be submitted for pre-evaluation by the Common Criteria Certification Office if users are to receive the same security assurance as for the previous version. Depending on the result of the pre-evaluation, one of two paths is followed:

the product is submitted for a new evaluation, and an evaluation for a new Common Criteria Certificate is performed; or

the product enters the certificate maintenance process.

For a product in the certificate maintenance process, it is examined how far the evaluation completed by the evaluation laboratory is affected, and the product components that affect its security features, together with the additional functions released by the manufacturer, are re-evaluated. For a new product version that has been reported by the evaluation laboratory and approved by the CCCS Inspection Expert as providing the necessary security assurance in the maintenance process, a Supplemental Instrument is issued. The "Supplemental Instrument" is annotated to state that it is not the main certificate and is meaningful only when used together with the certificate of the stated number and date. No new certificate is issued; the security assurance for the user is given by the CCCS through the 'Supplemental Instrument'. The validity of a "Supplemental Instrument" depends on the main certificate, and since the supplemental instrument does not cover the whole product, obtaining one does not extend the validity of the main certificate. As long as the modifications do not exceed the modification criteria laid down for the TOE by the CCCS and the laboratory, "Supplemental Instruments" are issued in the required number. Every Supplemental Instrument refers to the previous Supplemental Instruments and to the main certificate, and the list is continuously updated on the CCCS website.

3.12 VALIDITY OF THE CERTIFICATE AND ASSURANCE CONTINUITY

The validity period of a Common Criteria Certificate is 3 years, for the certified version of the TOE and for the specified TOE scope.

Where the product developer does not request an extension of the certificate validity period for the certified product 3 years after the date of issue of the certificate, the product is archived in the BTBD-01-01-LS-14 CCCS Certified Product Follow and Archive List.

Where, 3 years after the issue date of the certificate, the certified version of the TOE and the specified TOE scope have not changed and the product developer requests an extension of the certificate for the certified product, the developer sends the "Vulnerability Search and Notification Form" to the evaluation facility and the certification authority no later than 100 days before the expiry of the validity period. The certificate validity period is extended where the TOE has not changed and the assessment finds no vulnerability affecting the specified TOE scope.

Where the certified version of the TOE or the specified TOE scope has changed, and/or a vulnerability affecting the specified TOE scope is found, the process is conducted according to the "BTBD-01-01-PR-07 Assurance Continuity" procedure*.

*The assessment considers whether the product change is minor or major, the probable vulnerabilities and so on that new attacks will bring about on the product.

4. ORGANIZATION

Within the scope of Common Criteria certification, evaluation and inspection activities, the terms of reference of all positions in the CCCS Organisation Chart, and the formation and working instructions of the Certification Committee that concludes the CCCS activities, the "Expert Approval Committee", the "Objection and Complaint Committee" and the "Product Certification Activities Consulting Committee", are approved and held as system documents by the Management Representative.

5. EVALUATION LABORATORY

Laboratories that have signed an agreement with TSE covering confidentiality and conflict of interests in the scope of Common Criteria Certification activities, for the tests and evaluations that must be performed on products, serve in the CCCS process as ‘Approved Laboratories’.

Public and/or private laboratories that wish to work as an evaluation laboratory make their preparations according to the ‘Common Criteria Evaluation Laboratory Licensing Publication’ document, which sets out the principles of the licensing audit used to carry out the licensing operations and is published at www.tse.org.tr under the Common Criteria Certification Scheme link, and make an official application to CCCS.

The laboratory to be assigned in any certification application shall be determined by CCCS, considering the principles of competency and equity. CCCS carries out a licensing audit for the application.

The licensing audit shall be carried out with the aim of:

- verifying whether the Evaluation Laboratory complies with the accreditation rules in the scope of the TS EN ISO/IEC 17025 standard, and observing the effectiveness of its system from the records,
- confirming its command of the Common Criteria standard and the Common Evaluation Methodology,
- acknowledging the competence of its equipment and personnel.

If the licensing audit is successful, the laboratory receives an “interim license”, and:

- the name of the laboratory is declared to Software Test and Certification Department System Management and entered in the “CCCS Approved Laboratory List”;
- the current version of the list is announced at www.tse.org.tr under the Common Criteria Certification Scheme link.

Within one year, the laboratory holding an interim license performs an evaluation at level EAL 4 under the supervision of CCCS. The reports of this evaluation shall be sent to CCCS. If the evaluation is judged to comply with the Common Criteria standard, the Common Evaluation Methodology, the CCCS procedures and the Common Criteria Recognition Agreement (CCRA) requirements, a “permanent license” shall be granted to the laboratory and declared officially to it.

If the laboratory is already a licensed CC laboratory of another CC Certification Scheme, one of its EAL 4 evaluations from the last year may be examined according to the rules above; if that other Certification Body is “Authorizing”, one of the products certified by that laboratory and listed at www.commoncriteriaportal.org is accepted as evidence of an EAL 4 evaluation.

Thereafter, interim audits shall be conducted on the evaluation laboratory by CCCS periodically, once a year.

6. QUALITY SYSTEM


The Common Criteria Certification Scheme Quality System shall be implemented to meet the requirements based on:

- the Common Criteria Recognition Agreement (CCRA),
- the TS EN ISO/IEC 17065:2012 Conformity assessment -- Requirements for bodies certifying products, processes and services standard,
- the ISO/IEC/Common Criteria Administrative Board guide documents (Guidebooks 23, 27, 28, 53, 62 and 65) and the standards (CC and CEM) published in relation to Common Criteria certification, examination and evaluation activities,
- TSE legislation arising from the regulations and instructions that constitute TSE activities.

CCCS operates within the framework of the principles determined in the legal regulations, according to the quality policy set by senior management and the CCCS Quality Manual.

The Quality Policy in Section 8 of the CCCS Quality Manual has been announced to all personnel assigned to Common Criteria Certification Scheme activities. In-service trainings shall be organized so that the quality policy is understood and executed by the personnel, and trainings on the quality policy also form a component of orientation trainings. Criteria have been set for the continuous training, assignment and performance evaluation of the Certification and Inspection Experts who will work in product certification activities, and in this context applications shall be carried out in accordance with the Training Procedure.

Quality targets of the Common Criteria Certification Scheme have been determined and are tracked by the Strategic Development Department and the relevant directorates. Evaluation of the targets is one of the agenda items of Management Review Meetings. During these meetings Senior Management periodically observes the level of realization of the targets; the reasons for any failure are questioned and, if needed, additional precautions are taken to eliminate these factors. Tracking and recording of these activities shall be maintained by the System Management responsible on behalf of the Common Criteria Certification Scheme within the Software Test and Certification Department.


Use of the Common Criteria Certification Scheme quality system, described in detail in the Quality Manual, is mandatory for all personnel. The Head of the Software Test and Certification Department is responsible for ensuring that the quality system is accepted by all personnel and practised effectively. The CCCS Quality System Responsible is responsible for controlling and auditing the conformance of activities to the quality system.

The Information Technologies Test and Certification Department Management Representative is assigned by the TSE Administrative Council to execute the certification activities of the Common Criteria Certification Scheme within the framework of the system composed according to international standards and guidebooks; to build a system suited to the structure, with its documentation and execution; and to ensure its continuity. The Representative is guaranteed direct contact with senior management.

The continuity of the quality system of the Common Criteria Certification Scheme is evaluated in internal inspections and Management Control Meetings. Furthermore, nonconformities that appear during activities and require corrective and preventive actions are handled according to the Corrective and Preventive Action Procedure.

7. OBJECTIONS AND COMPLAINTS

Written objections about certification decisions, including those concerning Common Criteria certification, inspection and evaluation activities, are submitted by CCCS Certification Experts to the “Objection and Complaint Committee” according to the “Objections, Complaints and Disputes Evaluation Procedure”, and are concluded after evaluation by the Committee.

All written or oral complaints and conflicts about Common Criteria certification, examination and evaluation activities are recorded by CCCS, and the required corrective and preventive actions are started and tracked. Complaints and disputes that do not reach a satisfactory solution within the framework of the “Objections, Complaints and Disputes Evaluation Procedure” shall be taken onto the agenda of the “Objections and Complaints Committee”, and all relevant records shall periodically be sent to the Information Technologies Test and Certification Department. The results of corrective and preventive actions are also taken onto the agenda of management control meetings.

8. CONFIDENTIALITY, EQUITY AND INFORMATION SECURITY

CCCS certification activities shall be conducted according to the principles specified in the “CCCS Confidentiality, Independency and Equity Engagement” published by the Head of TSE, which are subscribed to during the certification application through the “Acceptance and Confidentiality Agreement” signed between the product owner company and TSE. Conflicts of interest relating to the services of the Head of the Software Test and Certification Department are defined, and according to the “Conflict of Interests Instructions”, which sets out the required precautions, it is forbidden for Software Test and Certification Department personnel, their family or their neighbours to derive personal benefit from their position in TSE, or to be in contact with organizations that may derive benefit from their decisions or from confidential information.

Confidentiality and equity principles are applied in all phases of evaluation and certification decision; certification, examination and evaluation activities are carried out objectively by persons and institutions outside CCCS. Examination and evaluation activities shall be carried out regardless of company ranking, former relationship with CCCS, number of certified products and all other factors.

The primary assets of CCCS, namely customer and product information, evaluation laboratory records and certification records, are under protection. CCCS information assets are protected against unauthorized access and cannot be given to any unauthorized person, whether deliberately or accidentally. Protection against an authorized person shall also be provided, to protect the integrity of the information. Execution of the “CCCS Data Security Instruction” is important to demonstrate our integrity and to continue working with the parties we serve. Precautions taken to protect the confidentiality of information and of records produced during certification activities are defined in procedures and instructions. Furthermore, through the confidentiality and equity agreement signed with the Information Technologies Test and Certification Department, all personnel, assigned experts and Committee Members are prohibited from forwarding information belonging to companies benefiting from certification services to third parties without the written permission of the supplier. In addition, by means of secure archiving environments, the use and copying of company documents by anyone other than authorized personnel is also prohibited.


While documents and records relating to certification that carry no security level are kept in TSE archives, the examination, evaluation and storage of all documents related to product and laboratory evaluation are carried out in the “Secure Office” according to the CCCS “Secure Office Physical Security Instruction”. Any deliberate action that endangers the security of information belonging to CCCS, to a product of CCCS, or to the product, manufacturer, evaluation laboratory or any sub-process of the certification process shall be subject to disciplinary punishment and/or legal action.

Where conditions require disclosing company information to third parties in accordance with the law, the company benefiting from certification, examination and evaluation services shall be informed by the Head of the Information Technologies Test and Certification Department, to the extent permitted by law.